Splunk® Enterprise Security

Release Notes

This documentation does not apply to the most recent version of Splunk® Enterprise Security. For documentation on the most recent version, go to the latest release.

Known issues for Splunk Enterprise Security

Splunk Enterprise Security 7.2.0 was released on September 6, 2023. For more information on release dates for the major versions of Splunk Enterprise Security, see the Software Support Policy page.

This release includes the following known issues.


Date filed Issue number Description
2024-02-06 SOLNESS-40942 The Incident Review page is stuck in the Updating state after a user with the ess_analyst role updates notables.
2024-01-12 SOLNESS-40632 Discrepancy in the notable events timeline visualization.

Workaround:
No workaround
2023-12-05 SOLNESS-40127, SOLNESS-40436 Identity Manager values in the "blacklist" or "blacklist_fields" fields are ignored.

Workaround:
Update the exclusion fields using the UI. Go to Configure > Data Enrichment > Assets & Identity Management. Select the relevant asset or identity lookup. Update the Denylist checkbox or update the field exclusion list.
2023-11-30 SOLNESS-40082 Timeline options for the Investigations do not display correctly for Splunk Enterprise Security version 7.0.2 and higher.
2023-11-30 SOLNESS-40087 In Drilldown Searches, "Latest Offset" UI helper text displays "Earliest Time" instead of "Latest Time".
2023-11-09 SOLNESS-39519 Saved filters in the Incident Review page result in a blank page after upgrading to version 7.2.
2023-11-07 SOLNESS-39507 Updating notable event actions results in the following error: "The update failed: 'list' object has no attribute 'startswith'"
2023-11-02 SOLNESS-39506 Asset and identity enrichment for "dest" assets causes alignment issue in the Incident Review page.

Workaround:
dest_asset is not needed in Incident Review. The fields Destination IP, Destination DNS, Destination NT Hostname, Destination MAC Address can be added separately.
2023-11-02 SOLNESS-39469 Cannot customize fields in the Risk Analysis data model.
2023-10-20 SOLNESS-39223 Modular input "confcheck_es_bias_language_cleanup" displays an error after upgrade even if it is disabled.

Workaround:
  1. Modify the following file:
     On a search head cluster:
     /opt/splunk/etc/shcluster/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
     On a standalone ES instance:
     /opt/splunk/etc/apps/SplunkEnterpriseSecuritySuite/README/input.conf.spec
  2. Add the following comment at the end of the file:

     Conf File Check for Bias Language

     [confcheck_es_bias_language_cleanup://default]

     debug = <boolean>

  (Optional steps if you are on a standalone search head)
  3. Push the changes to the search head cluster by pushing the bundle apps.
  4. Clear the messages from the top of the page so that they do not display again.
  5. In the case of a standalone search head, restart the Splunk process.

2023-10-11 SOLNESS-39022 No results returned when searching for a notable using the Short ID.
2023-10-02 SOLNESS-38795 Error using the max_mem_usage_mb macro when upgrading from ES 7.0.2.

Workaround:
Make a clone of the notable macro, but remove the portions having to do with the get_drilldown_searches macro. For reference, the get_drilldown_searches macro is defined as follows:

    [get_drilldown_searches]
    definition = streamstats count as drilldown_event_id | eval updated_drilldown_searches=if((isnull(drilldown_searches) OR match(drilldown_searches, "\[\]")), json_array(json_object("name", drilldown_name, "search", drilldown_search, "earliest_offset", drilldown_earliest_offset, "latest_offset", drilldown_latest_offset)), drilldown_searches) | eval updated_drilldown_searches=json_array_to_mv(updated_drilldown_searches, true()) | mvexpand updated_drilldown_searches | spath input=updated_drilldown_searches path=name output=_temp_dd_name_ | spath input=updated_drilldown_searches path=search output=_temp_dd_search_ | spath input=updated_drilldown_searches path=earliest_offset output=earliest_offset | spath input=updated_drilldown_searches path=latest_offset output=latest_offset | eval drilldown_index_earliest=case(isint(earliest_offset) AND isint(use_index_time),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_indextime',1=1,null()),drilldown_index_latest=case(isint(latest_offset) AND isint(use_index_time),_time+latest_offset,latest_offset="$info_max_time$",'info_max_indextime',1=1,null()), earliest_offset=case(isint(earliest_offset),_time-earliest_offset,earliest_offset="$info_min_time$",'info_min_time',1=1,null()), latest_offset=case(isint(latest_offset),_time+latest_offset,latest_offset="$info_max_time$",'info_max_time',1=1,null()) | eval updated_drilldown_obj=json_object("name", _temp_dd_name_, "search", _temp_dd_search_, "earliest", earliest_offset, "latest", latest_offset, "index_earliest", drilldown_index_earliest, "index_latest", drilldown_index_latest) | fields - _temp_dd_search_, _temp_dd_name_, earliest_offset, latest_offset, updated_drilldown_searches | eventstats list(updated_drilldown_obj) as updated_drilldown_obj by drilldown_event_id | dedup drilldown_event_id | eval drilldown_searches=if(((isnull(drilldown_searches) AND isnull(drilldown_search)) OR match(drilldown_searches, "\[\]")), null(), updated_drilldown_obj) | fields - drilldown_event_id, updated_drilldown_obj

2023-09-22 SOLNESS-38777 Error message might be displayed when expanding notables in the Incident Review page.
2023-09-11 SOLNESS-38498 The Risk Score field is not displayed as a link when you expand the rows in Incident Review and go to Additional Fields.
2023-09-07 SOLNESS-38261 Filtering for events using "event_id=notable_id" in the Incident Review page does not work, and you are redirected to the default filters.
2023-08-30 SOLNESS-37237 Cloned dashboards in Splunk Enterprise Security version 7.1.1 return a 404 error.
2023-08-25 SOLNESS-37062 New drill-down searches in the Correlation Editor can show validation errors if they were saved earlier.
2023-08-08 SOLNESS-36864 The Timeline visualization on the Incident Review page does not zoom in when double clicked.
2023-08-02 SOLNESS-36801 Clicking Save or Save new filters twice might cause the Incident Review page to freeze or remain unresponsive.
2023-07-27 SOLNESS-36746, SOLNESS-36748 Notable titles that contain non-existent tokens are normalized to empty strings in the Incident Review page.
2023-07-27 SOLNESS-36731 Timeline visualization on the Incident Review page cannot activate or deactivate the timeline buttons.
2023-07-25 SOLNESS-36660 Timeline visualization on the Incident Review page does not allow you to zoom in on a selection of less than 1 minute.
2023-07-20 SOLNESS-36590 The script 'confcheck_es_bias_language_cleanup' is reported as missing in Splunk Enterprise Security 7.2.0.
2023-07-18 SOLNESS-36563 Timeline on the Incident Review page: cannot select a bar that was previously deselected.

Workaround:
Select, then deselect, a different bar. Then select the bar that you originally wanted to select.
2022-09-14 SOLNESS-32647 Saved searches created in the Content Management page with private settings are not displayed.
Last modified on 27 March, 2024

This documentation applies to the following versions of Splunk® Enterprise Security: 7.2.0

